The Infocomm Development Authority of Singapore (IDA) said a vulnerability in a Google search bar within the sites was targeted and that the integrity of both sites had not been compromised.

Separately, IDA said it observed an "unusually high" amount of traffic to many government websites on 5 November – which indicated attempted cyber-intrusions.

OK, so let's put this into perspective before blowing things out of proportion.

Hacking is not like what you see in the movies, where a few keystrokes get you in. It is definitely way more than that.

ONLY NOOBS attempt DDoS attacks; these typically come from people who have nmap, Kismet, sqlmap, etc. installed (these are the PUBLICLY available tools). Some might even throw in age-old worms like the Nimda virus for kicks.

In any form of hacking, the weakest link in the chain is ALWAYS HUMANS:

Social engineering

Never changing passwords

Using obvious passwords

Using the SAME passwords, etc.

OK, so let's now look at the PMO case from a white hat perspective:

Firing up the website, all content looks pretty normal.

What is interesting is that everything appears to be static content, comes with an ETag (meaning the content should be cached locally) and is sent gzipped (which typically means a load balancer or some hardware device is proxying the content). Other identifying headers are also stripped out, so this looks like a typical hardened server, not easy to hack into!

A simple ping test reveals that the content is hosted on Akamai, i.e. PURELY static content, which means hacking this is a waste of time. There is probably an admin interface or, better still, a backend job that syncs the content over, which you will never have direct access to.

Just to be sure, a request for a non-existent page is tried. The conclusion is the same: no point hacking this server.

Looking further at the site, we find a search bar. Now anyone with some IT background would know that a search bar returns DYNAMIC results, so these cannot be cached by Akamai, i.e. a possible target for a non-intrusive takeover attempt.

Doing a simple search, which comes up in a POP UP window (indicating something that has not been changed for ages), throws up the following screen and gems:

A host, wasdc.shine.gov.sg, which resolves to an IP address

which belongs to IDA.

A ping that times out also indicates that the server has been hardened, and possibly has RDP on a port other than 3389 and no open ports other than port 80.

Now the headers indicate IIS 7.5, which means it is running Windows Server 2008 R2.
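The two things this walk-through relies on, identifying headers being stripped at the edge and whether a response is cacheable or reaches the origin directly, are exactly what a site owner should audit on their own endpoints. The following is an added example, not code from the post; the endpoint paths and header values are constructed, not captured from any real host.

```python
from typing import Dict, List

# Response headers that disclose the product or version behind a site; a hardened
# edge (load balancer, CDN) should strip them so the origin is not fingerprinted.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def audit_response(headers: Dict[str, str]) -> Dict[str, object]:
    """Report which fingerprint headers leak and whether the response is edge-cacheable."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    leaks = {name: h[name] for name in FINGERPRINT_HEADERS if h.get(name)}
    cache_control = h.get("cache-control", "").lower()
    # Static content: a validator is present and nothing forbids a shared cache.
    cacheable = ("etag" in h or "last-modified" in h) and not any(
        d in cache_control for d in ("no-store", "no-cache", "private")
    )
    findings: List[str] = [f"{name} discloses '{value}'" for name, value in leaks.items()]
    if not cacheable:
        findings.append("not edge-cacheable: every request reaches the origin")
    return {"leaks": leaks, "cacheable": cacheable, "findings": findings}


def audit_site(endpoints: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Run the check over several endpoints; only endpoints with findings are reported."""
    report: Dict[str, List[str]] = {}
    for path, headers in endpoints.items():
        findings = audit_response(headers)["findings"]
        if findings:
            report[path] = findings
    return report


# Constructed sample headers for a hypothetical site: a static page served through
# the edge and a dynamic search endpoint that bypasses it.
SAMPLE_ENDPOINTS = {
    "/index.html": {
        "ETag": '"5d8c72a5edda8d6a:0"',
        "Content-Encoding": "gzip",
        "Cache-Control": "public, max-age=3600",
    },
    "/search?q=test": {
        "Server": "Microsoft-IIS/7.5",
        "X-Powered-By": "ASP.NET",
        "Cache-Control": "private",
    },
}

if __name__ == "__main__":
    for path, findings in audit_site(SAMPLE_ENDPOINTS).items():
        print(path)
        for finding in findings:
            print("  -", finding)
```

In the sample only the search endpoint is reported, which mirrors the situation the post describes: the static pages give nothing away, the dynamic one reveals the origin's product and version.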

So back to the server. In a typical enterprise, patches are never installed on Patch Tuesday; they have to go through staging, testing and what not, meaning the server might not be patched. Chances are the administrator would also have installed the GUI for ease of configuration.

So now I have my possible attack vector: target Windows Server 2008 R2 exploits, especially those pertaining to IIS 7.5.

I shall stop here and leave out the HOW of attacking a web server.

I'd just like to point out a few things before I end off.

Notice how everything I've done so far looks like a normal process to anyone watching the logs, if it even generated any.

I've left out social engineering and social media tracking from the picture (although this is one of the most used tools).

No DDoS, port scan or any analysis that would cause high traffic is done. Why? Because every system in the world takes this to be the first sign of a cyber attack and has configuration in place to block them.

I'm pretty sure the attack was NOT done by Anonymous; they are way better than that.